Commit graph

9583 commits

Author SHA1 Message Date
Dr. Stephen Henson
0f776277bc oops, use correct date 2010-02-26 12:13:36 +00:00
Dr. Stephen Henson
5814d829e6 update NEWS 2010-02-25 18:20:30 +00:00
Dr. Stephen Henson
f6bb465f87 update FAQ 2010-02-25 18:18:46 +00:00
Dr. Stephen Henson
db28aa86e0 add -trusted_first option and verify flag 2010-02-25 12:21:48 +00:00
Dr. Stephen Henson
2da2ff5065 tidy verify code. xn not used any more and check for self signed more efficiently 2010-02-25 11:18:26 +00:00
Dr. Stephen Henson
fbd2164044 Experimental support for partial chain verification: if an intermediate
certificate is explicitly trusted (using -addtrust option to x509 utility
for example) the verification is sucessful even if the chain is not complete.
2010-02-25 00:17:22 +00:00
Dr. Stephen Henson
04e4b82726 allow setting of verify names in command line utilities and print out verify names in verify utility 2010-02-25 00:11:32 +00:00
Dr. Stephen Henson
9b3d75706e verify parameter enumeration functions 2010-02-25 00:08:23 +00:00
Dr. Stephen Henson
b1efb7161f Include self-signed flag in certificates by checking SKID/AKID as well
as issuer and subject names. Although this is an incompatible change
it should have little impact in pratice because self-issued certificates
that are not self-signed are rarely encountered.
2010-02-25 00:01:38 +00:00
Dr. Stephen Henson
df4c395c6d add anyExtendedKeyUsage OID 2010-02-24 15:53:58 +00:00
Dr. Stephen Henson
385a488c43 prevent warning 2010-02-24 15:24:19 +00:00
Andy Polyakov
ea746dad5e Reserve for option to implement AES counter in assembler. 2010-02-23 16:51:24 +00:00
Andy Polyakov
d976f99294 Add AES counter mode to EVP. 2010-02-23 16:48:41 +00:00
Andy Polyakov
e5a4de9e44 Add assigned OIDs, as well as "anonymous" ones for AES counter mode. 2010-02-23 16:47:17 +00:00
Dr. Stephen Henson
7d3d1788a5 The meaning of the X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY and
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT error codes were reversed in
the verify application documentation.
2010-02-23 14:09:09 +00:00
Bodo Möller
2d9dcd4ff0 Always check bn_wexpend() return values for failure (CVE-2009-3245).
(The CHANGES entry covers the change from PR #2111 as well, submitted by
Martin Olsson.)

Submitted by: Neel Mehta
2010-02-23 10:36:35 +00:00
Bodo Möller
a839755329 Fix X509_STORE locking 2010-02-19 18:27:07 +00:00
Dr. Stephen Henson
69582a592e clarify documentation 2010-02-18 12:41:33 +00:00
Dr. Stephen Henson
7512141162 OR default SSL_OP_LEGACY_SERVER_CONNECT so existing options are preserved 2010-02-17 19:43:56 +00:00
Dr. Stephen Henson
c2c49969e2 Allow renegotiation if SSL_OP_LEGACY_SERVER_CONNECT is set as well as
initial connection to unpatched servers. There are no additional security
concerns in doing this as clients don't see renegotiation during an
attack anyway.
2010-02-17 18:38:31 +00:00
Dr. Stephen Henson
47e0a1c335 PR: 2100
Submitted by: James Baker <jbaker@tableausoftware.com> et al.

Workaround for slow Heap32Next on some versions of Windows.
2010-02-17 14:32:41 +00:00
Dr. Stephen Henson
439aab3afc Submitted by: Dmitry Ivanov <vonami@gmail.com>
Don't leave dangling pointers in GOST engine if calls fail.
2010-02-16 14:30:29 +00:00
Dr. Stephen Henson
8d934c2585 PR: 2171
Submitted by: Tomas Mraz <tmraz@redhat.com>

Since SSLv2 doesn't support renegotiation at all don't reject it if
legacy renegotiation isn't enabled.

Also can now use SSL2 compatible client hello because RFC5746 supports it.
2010-02-16 14:21:11 +00:00
Dr. Stephen Henson
1458b931eb The "block length" for CFB mode was incorrectly coded as 1 all the time. It
should be the number of feedback bits expressed in bytes. For CFB1 mode set
this to 1 by rounding up to the nearest multiple of 8.
2010-02-15 19:40:16 +00:00
Dr. Stephen Henson
20eb7238cb Correct ECB mode EVP_CIPHER definition: IV length is 0 2010-02-15 19:26:02 +00:00
Dr. Stephen Henson
79cfc3ac54 add EVP_CIPH_FLAG_LENGTH_BITS from 0.9.8-stable 2010-02-15 19:20:13 +00:00
Dr. Stephen Henson
918a5d04e4 PR: 2164
Submitted by: "Noszticzius, Istvan" <inoszticzius@rightnow.com>

Don't clear the output buffer: ciphers should correctly the same input
and output buffers.
2010-02-15 19:00:12 +00:00
Dr. Stephen Henson
f959598866 update references to new RI RFC 2010-02-12 21:59:31 +00:00
Dr. Stephen Henson
5a9e3f05ff PR: 2170
Submitted by: Magnus Lilja <lilja.magnus@gmail.com>

Make -c option in dgst work again.
2010-02-12 17:07:16 +00:00
Dr. Stephen Henson
29e722f031 Fix memory leak in ENGINE autoconfig code. Improve error logging. 2010-02-09 14:17:14 +00:00
Dr. Stephen Henson
05566760da update year 2010-02-09 14:12:49 +00:00
Dr. Stephen Henson
e3e31ff482 Use supplied ENGINE when initialising CMAC. Restore pctx setting. 2010-02-08 16:31:28 +00:00
Dr. Stephen Henson
bae060c06a add cvsignore 2010-02-08 15:34:02 +00:00
Dr. Stephen Henson
0ff907caf8 Make update. 2010-02-08 15:33:23 +00:00
Dr. Stephen Henson
c8ef656df2 Make CMAC API similar to HMAC API. Add methods for CMAC. 2010-02-08 15:31:35 +00:00
Dr. Stephen Henson
8c968e0355 Initial experimental CMAC implementation. 2010-02-07 18:01:07 +00:00
Dr. Stephen Henson
cc0661374f make update 2010-02-07 13:54:30 +00:00
Dr. Stephen Henson
089f02c577 oops, use new value for new flag 2010-02-07 13:50:36 +00:00
Dr. Stephen Henson
c2bf720842 Add missing function EVP_CIPHER_CTX_copy(). Current code uses memcpy() to copy
an EVP_CIPHER_CTX structure which may have problems with external ENGINEs
who need to duplicate internal handles etc.
2010-02-07 13:39:39 +00:00
Dr. Stephen Henson
c95bf51167 don't assume 0x is at start of string 2010-02-03 18:19:22 +00:00
Dr. Stephen Henson
2712a2f625 tolerate broken CMS/PKCS7 implementations using signature OID instead of digest 2010-02-02 14:30:39 +00:00
Dr. Stephen Henson
17ebc10ffa PR: 2161
Submitted by: Doug Goldstein <cardoe@gentoo.org>, Steve.

Make no-dsa, no-ecdsa and no-rsa compile again.
2010-02-02 13:35:27 +00:00
Dr. Stephen Henson
434745dc19 PR: 2160
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>

Make session tickets work with DTLS.
2010-02-01 16:51:09 +00:00
Dr. Stephen Henson
b380f9b884 PR: 2159
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>

Typo in PR#1949 bug, oops!
2010-02-01 12:43:45 +00:00
Richard Levitte
749af8cb61 Typo. 2010-01-29 12:07:46 +00:00
Richard Levitte
1d62de0395 The previous take went wrong, try again. 2010-01-29 12:02:50 +00:00
Richard Levitte
d7b99700c0 Architecture specific header files need special handling. 2010-01-29 11:44:36 +00:00
Richard Levitte
cd6bc02b29 If opensslconf.h and buildinf.h are to be in an architecture specific
directory, place it in the same tree as the other architecture
specific things.
2010-01-29 11:43:50 +00:00
Dr. Stephen Henson
da454e4c67 typo 2010-01-29 00:09:33 +00:00
Dr. Stephen Henson
08c239701b Experimental renegotiation support in s_server test -www server. 2010-01-28 19:48:36 +00:00